Last updated: April 30, 2026
When you create an account, we collect your name, email address, and either a password or the basic profile information returned by Google sign-in (name, email, profile picture). As you use Kinako, we store the data you enter — clients, projects, invoices, proposals, contracts, notes, files, expenses, and meeting transcripts. We also collect technical information when you sign in or use the service: IP address, browser and device user agent, and session activity (so you can see and revoke active sessions). Basic usage analytics (pages visited, features used, performance metrics) are collected to improve the product.
Your data is used to provide and improve Kinako, to send transactional messages (account, billing, share-link, and reminder emails or SMS), to detect and prevent abuse, and to comply with our legal obligations. We do not sell your personal information. We do not use your business data — clients, projects, financial information, contracts, notes — for advertising or to train machine-learning models. The legal bases we rely on are performance of our contract with you, our legitimate interest in operating and securing the service, your consent (where applicable), and compliance with law.
Some features (drafts for proposals, contracts, invoices, follow-ups, action items, meeting summaries, revenue insights) use Anthropic's Claude API. When you use these features we send the relevant content you've entered — for example client names, project details, intake responses, or meeting notes — to Anthropic so they can generate a response. Anthropic does not use this content to train its models. AI output is generated automatically and may be inaccurate, so you should always review it before sending anything to a client.
We use the following services (subprocessors) to operate Kinako:
When you send a proposal, contract, invoice, welcome doc, or intake form to a client, Kinako generates a share link. Anyone with that link can view the document, sign it, pay it, or submit responses to it. If a client submits an intake form, signs a contract, leaves a testimonial, or pays an invoice, the information they provide is stored in your account. You are the controller of that client information; we process it on your behalf to deliver the service.
All data is transmitted over HTTPS. Database access is protected by row-level security policies — you can only access your own data. File uploads are stored in private buckets with signed, time-limited access URLs. Two-factor authentication (TOTP) is available in your settings. We log sign-in events and active sessions so you can review and revoke devices that shouldn't have access.
Depending on where you live, you may have rights under laws such as the GDPR, the UK GDPR, the CCPA, or the Australian Privacy Act. These can include the right to access the personal information we hold about you, correct it, delete it, receive a portable copy, restrict or object to certain processing, and withdraw consent. To exercise any of these rights, email us at the address below and we will respond within 30 days.
We keep your account data for as long as your account is active. To delete your account, email us at the address below and we will permanently remove your data (clients, projects, files, invoices, contracts, notes) within 30 days. Some records may be retained for longer where required by law — for example, billing records that tax authorities require us to keep, or limited authentication and audit logs needed to investigate fraud or abuse.
Kinako is operated from Australia, and our subprocessors (Supabase, Stripe, Vercel, Anthropic, Resend, Twilio, Upstash, Google) may store and process data in the United States, the European Union, or other regions. Where required, transfers rely on standard contractual clauses or equivalent safeguards put in place by those providers.
We use essential cookies for authentication and session management. We do not use third-party advertising cookies or run advertising scripts.
Kinako is built for independent professionals and is not intended for anyone under 16. We do not knowingly collect personal information from children. If you believe a child has signed up, contact us and we'll delete the account.
If we make significant changes to this policy, we will notify you by email. Minor clarifications may be made without notice.
Questions about your data, or want to exercise a privacy right? Reach us at jhayden@kinako.app